Security Forem: Dinesh Dawonauth

I Over-Engineered My Portfolio Into an Operating System

Dinesh Dawonauth — Wed, 14 Jan 2026 13:49:33 +0000

This is a submission for the New Year, New You Portfolio Challenge Presented by Google AI

About Me

Most portfolios say "attention to detail" somewhere in the copy but then you view source and find inline styles and console errors.

I'm a Data Engineer in Toronto and I wanted a portfolio that proved the claims instead of making them. So I built something that either works flawlessly or exposes me as a fraud. High stakes. Good motivation.

Portfolio

NOTE: Debate Lab and Yield cannot run inside an embedded iframe.

Cross-frame rendering is intentionally disabled to mitigate clickjacking and other UI-redress attacks.

For the full, secure experience, visit dineshd.dev.

How I Built It

The site is a desktop operating system running in the browser. Boot sequence, window management, dock, terminal. Every page is an app that opens in a draggable, resizable window.

Tech Stack:

Next.js 16, React 19, TypeScript in strict mode
Tailwind CSS v4, Framer Motion, Zustand
Vitest for testing
Google Cloud Run

Architecture

I separated concerns the way actual operating systems do. The os layer handles windows, the dock, the desktop. The apps layer contains applications. Apps never import from OS internals. This keeps things clean. I can add new apps without touching window management. I can refactor the dock without breaking the terminal.

Infrastructure:

Six CI workflows run on every PR. Build, test, security audit, link checking, bundle size monitoring. Nothing merges without passing all of them.

Lighthouse scores sit above 90 across the board. On a site with drag physics, iframe embeds, and boot animations. It took effort.

How Gemini Fit Into the Process

I used Gemini throughout for planning and structure. Not to write code. To think.

"Window management" sounds like one feature until you start listing edge cases. Drag boundaries. Resize constraints. Z-index stacking. Focus transfer on close. Minimize and restore state. It sprawls fast.

I'd describe a feature area to Gemini and ask it to break things down into epics. Here's a trimmed version of the prompt I used:

You are a Senior Product Manager with technical fluency 
in modern web applications (Next.js / React).

Convert identified feature areas into well-scoped PM epics 
suitable for an engineering backlog.

For each epic:
- Title and goal
- Scope boundaries
- Stories with acceptance criteria
- Implementation order with rationale

Gemini returned structured epics with stories, acceptance criteria, and sequencing. Ready to drop into Notion.

Same approach for testing plans. Describe a component, get back coverage for happy paths, edge cases, failure modes. Review, adjust, execute.

The real value was upstream. Articulating a feature clearly enough for Gemini to understand it forced me to actually understand it. Half the bugs I avoided were caught in the prompting phase.

What I'm Most Proud Of

The terminal works. Not a fake CLI that prints strings. Real command parsing. ls, pwd, whoami, help. Easter eggs I won't spoil here.

Projects run inside the portfolio. My other apps open as windows. Visitors don't leave the site to see my work. They use it in context.

The invisible stuff: Keyboard navigation. Screen reader support. Reduced motion respected. Accessibility was a constraint from the start, not a box I checked later.

The over engineering was the point. Anyone can claim production ready code. Showing a GitHub repo with CI pipelines, test coverage, and passing accessibility audits is harder to fake.

Open some windows. Drag them around. Try the terminal.
If it breaks, that's on me.

I Over Engineered My Portfolio Into an Operating System. No Regrets.

Dinesh Dawonauth — Tue, 13 Jan 2026 23:31:37 +0000

It all started as a landing page. Hero section, project cards, a contact form. The kind of portfolio every bootcamp graduate ships in a weekend.
Then I added a dock. Then window management. Then a terminal with easter eggs. Then a boot sequence. Then CI/CD pipelines and unit tests.
Somewhere along the way, my portfolio became an operating system.

Why Though

I'm a Data Engineer trying to prove I can build visually stunning, functional frontends. "I know React" doesn't cut it anymore in a world full of AI slop websites. Everyone knows React.
So I asked myself a different question, what if my portfolio didn't just list my skills but actually showcased them?
Not a static page that says "I'm good at UI/UX". But, an actual interface that proves it.
Not bullet points about "attention to detail", a boot sequence that nails the timing down to the millisecond.
Not claims about "production ready code" but a GitHub repo with CI/CD, unit tests and Lighthouse scores above 90 (crazy for a portfolio built like an OS with lots of moving parts)
The over engineering wasn't scope creep. It was the point.

What I Built

When you land on the site you see a desktop. Wallpaper, dock at the bottom, status bar with a clock. Every page is an app that opens in a draggable, resizable window. Minimize, maximize, close. It all works.

The dock has Mac OS style magnification on hover. Icons that bounce when clicked. The terminal accepts real commands with easter eggs (I'll let you find that out for yourself 😄)

And here's the part I'm proudest of- My actual projects run inside the portfolio as embedded apps. Visitors don't leave to see my work. They experience it in context.

The Stuff Nobody Sees

This is what separates side projects from production apps.

The GitHub repo has six CI workflows: build, test, security audit, link checking, bundle size monitoring.
Every PR needs green across the board.

Yes, I wrote unit tests for a portfolio site. The critical paths covered are window management, focus handling, and preference persistence.

Lighthouse scores are 90+ across the board. On a site running a window manager with drag physics and iframe embeds.
Accessibility? Screen reader compatible, keyboard navigable, reduced motion respected. Not an afterthought.

The Takeaway

Your portfolio is a product. Treat it like one.

"I know React" is forgettable. "I built an entire operating system in React" starts conversations.

If you want to play around 👉🏽 dineshd.dev

Open some windows. Try the terminal. Find the easter eggs.
And if you've ever over engineered a side project just to prove you could, drop it in the comments!

P.S. Yes, it works on mobile. No I won't be taking questions about my life choices 🤫

Looking for feedback on a small side project I’ve been building

Dinesh Dawonauth — Mon, 22 Dec 2025 18:39:06 +0000

I’ve been spending nights and weekends hacking on a side project and figured it was time to put it in front of other developers and get some real feedback.

The project is called PassFX. It’s a terminal-based password manager that works entirely offline. No cloud sync, no browser extensions, no accounts. Everything lives locally and is encrypted with a single master passphrase.

I didn’t build this to compete with existing password managers. This was more about exploring a specific idea:

What does a minimal, auditable, developer-friendly password manager look like if you remove the cloud completely?

Why I built it

I wanted something:

I could use on offline or air-gapped machines
That didn’t depend on browser extensions
Where I fully understood the threat model and tradeoffs

It’s been a good learning exercise around encryption, key management, and designing UX when all you have is a terminal.

What I’m looking for

I’m mostly looking for honest developer feedback:

Does the approach make sense?
Are there obvious design or UX issues?
Anything that feels unnecessary or missing?
Would you ever use something like this, or is it solving a problem nobody has?

If you’re curious, the repo is here:
GitHub: https://github.com/dinesh-git17/passfx

Looking for security feedback on a side project I’ve been building

Dinesh Dawonauth — Mon, 22 Dec 2025 18:34:56 +0000

I’ve been working on a small side project in my spare time and I’d love some honest security focused feedback from this community

The project is PassFX - a terminal based password manager designed to work entirely offline. No cloud sync, no accounts, no browser extensions. Everything is encrypted locally and unlocked with a single master passphrase that never leaves the machine.

The core idea is simple:
reduce attack surface by removing the cloud entirely.

I wanted something:

I could use on an air-gapped or offline machine
That didn’t rely on a browser extension or remote service
Where I could reason clearly about the threat model

This isn’t meant to replace enterprise solutions or compete with hosted managers. It’s more of an exploration into how minimal and auditable a password manager can be while still being usable day to day for developers.

What I’m looking for feedback on

I’m especially interested in thoughts around:

Cryptographic choices and key derivation approach
Threat model assumptions (what I’m missing or underestimating)
Secure storage practices on disk
UX tradeoffs in terminal-only security tools
Any obvious “don’t do this” red flags

If you’re curious, the repo is here:
GitHub: https://github.com/dinesh-git17/passfx

I don't trust password managers. So I built one.

Dinesh Dawonauth — Mon, 22 Dec 2025 18:22:20 +0000

Github: PassFX Repo
Webpage: PassFX Landing Page

After years of watching cloud first password managers get breached, acquired, or quietly change their terms of service, I decided the only one I could trust was one where I could read every line of code.

Two months later: PassFX, a terminal password manager that never touches a network.

The Problem

Every single password manager I tested ultimately requested that I send all of my passwords to another company’s server and then trust them not to mess anything up.

Although Cloud Sync is very easy to use, this greatly increases your risk.

I’m a terminal user, but every terminal based password manager I used had a user interface from 1987 and/or would require you to learn obscure command line switches in order to perform the most basic functions. I was looking for security and a user interface that did not force me to close my computer.

What PassFX Is

Local first, Offline Only, Password Manager with a Textual TUI.

Your Vault exists in ~/.passfx/ and NOWHERE ELSE

Security Model: If you want to get your passwords, they have to be physically on your computer AND have your Master Password. NO NETWORK = NO REMOTE ATTACKS. NO CLOUD = NO THIRD PARTY BREACHES. NO RECOVERY = NO BACKDOOR.

If you lose or FORGET your Master Password... GONE. Not a Bug; That's The Security Model.

Storing: Email Credentials, Credit Cards, Phone PINs, API Keys, 2FA Recovery Codes, Encrypted Notes.

Encryption: Fernet (AES-128-CBC + HMAC-SHA256), PBKDF2 with 480,000 Iterations, 256-Bit Salts. I did NOT create my own encryption — I READ THE RULES.

Who this is for:

PassFX is right for you if you are:

Comfortable working from the Terminal
Want to know how your Password Manager works
Are okay with “Forgot my password”=“I lost my data”
Think “Zero Network Code” is reassuring and not limiting

The Paranoid Parts

I spent more time on security testing than features. The test suite is 1.5x the production code:

Passwords excluded from all logs
Vault files contain zero plaintext (binary inspection)
File permissions verified on every write
Constant-time password comparison
PBKDF2 iterations locked at exactly 480,000

A PR that weakens security parameters fails CI. Not "might fail"—will fail. Tests use exact equality, not minimums.

Clipboard auto-clears after 15 seconds. Because "pasted my database password into Slack" is nobody's favorite story.

What It Doesn't Have

Cloud sync
Mobile app
Browser extension
Breach scanning
Telemetry

Every feature is attack surface. I wanted one thing: store credentials locally, encrypt properly, get out of the way.

The UI

Terminal apps don't have to look like tax software. Cyberpunk aesthetic matrix green, deep blue-black, neon accents. Keyboard navigation, mouse support, modal dialogs, searchable lists.

a to add, e to edit, d to delete, c to copy, Esc to go back.

It's a password manager, not a puzzle game.

Feedback Welcome

GitHub repo. Security model in SECURITY.md. Threat model is explicit about what it protects and what it doesn't.

Find a bug? Open an issue. Security vulnerability? Report privately via GitHub Security Advisories or security@dineshd.dev.

PRs are welcome as long as they don't weaken security. The tests will tell you if you tried.

Install

pip install passfx
passfx

First run creates your vault. Make the master password strong. There's no recovery, and that's the point.

Your passwords belong to you. Not to a company. Not to a cloud.

If that resonates, check it out.